If you are an Arch user, you know that the AUR (Arch User Repository) is a double-edged sword: incredibly useful, but it requires caution. Unfortunately, that caution was warranted yet again this week when three AUR packages were found to contain malware.
The issue came to light on July 16 when a user uploaded a malicious package, librewolf-fix-bin, to the AUR. Within hours, two more packages, firefox-patch-bin and zen-browser-patched-bin, followed, all traced back to the same bad actor.
Security researchers quickly identified the threat: a Remote Access Trojan (RAT) hidden in a script pulled from a GitHub repository. For those unfamiliar, a RAT is no joke—it can grant attackers full control over an infected system, enabling them to steal data, install additional malware, or spy on users.
Thankfully, the Arch Linux security team responded promptly as soon as they became aware of the issue. By July 18, all three malicious packages had been removed from AUR. However, if you installed any of these before they were removed, your system could still be at risk. So, what should you do?
- Remove them immediately—don’t wait.
- Check for signs of compromise—unusual network activity, unexpected processes, or unfamiliar files could be red flags.
- Consider a more thorough security sweep—malware like this can linger if not completely removed.
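The first two steps above, as an added shell check that is not from the article or the Arch team: it compares the installed package list against the three package names the report gives and prints the removal command. It assumes an Arch-based host with `pacman`; the hypothetical `list_matches` function reads package names on stdin so it can also be run against a saved `pacman -Qq` listing.

```shell
#!/bin/sh
# Added example: check a host for the three malicious AUR packages named
# in the report. The package names come from the article; the script
# itself is an assumption, not Arch's own tooling.

BAD_PACKAGES="librewolf-fix-bin firefox-patch-bin zen-browser-patched-bin"

# list_matches: read installed package names (one per line) on stdin and
# print every name on the known-bad list. Exit status 0 if any matched,
# 1 if none did (grep-style), so it can drive an if/else.
list_matches() {
    status=1
    while IFS= read -r pkg; do
        for bad in $BAD_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                status=0
            fi
        done
    done
    return $status
}

# check_host: query the local pacman database and report. Returns 1 when
# a malicious package is present, 2 when pacman is unavailable, else 0.
check_host() {
    if ! command -v pacman >/dev/null 2>&1; then
        echo "pacman not found; run this on an Arch-based system" >&2
        return 2
    fi
    if hits=$(pacman -Qq | list_matches); then
        echo "Malicious AUR package(s) installed:"
        echo "$hits"
        # -Rns also drops unneeded dependencies and the package's config files
        echo "Remove with: sudo pacman -Rns $(echo "$hits" | tr '\n' ' ')"
        echo "Then isolate the host and look for leftover processes, network connections and files."
        return 1
    fi
    echo "None of the known malicious packages are installed."
    return 0
}

# Run the host check only when executed directly, not when sourced.
[ "${AUR_CHECK_SOURCED:-0}" = "1" ] || check_host
```

Set `AUR_CHECK_SOURCED=1` before sourcing the file if you only want `list_matches` (for example to scan a package list copied off an isolated machine).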
This isn’t the first time malicious packages have slipped into the AUR, and (probably) it won’t be the last. As you know, AUR is a community-driven repository that’s separate from the official Arch package sources. In other words, anyone can upload software to it.
Yes, it is an absolute goldmine for extra software and one of the biggest reasons people love Arch, with tens of thousands of packages to choose from. But as this shows, it does come with some risks. So, whenever you install something from AUR, just be sure to tread carefully.
For more information, here’s the message on Arch’s mailing list.
If I used arch and installed any of those I would immediately isolate the system from the network and either restore from a backup prior to this happening or reinstall the entire system, since with these types of things it is impossible to really know if they were fully removed. I currently use ubuntu and use snaps and flatpaks and usually try to stick to official sources and software that I know I can trust. I never have really liked arch since out of the box it is missing standard security features, some of which would never be easy to implement, such as selinux, since even a team of people would struggle to do this correctly. Even apparmor if installed is basically doing nothing without the end user doing even more.
Interesting sentence: “However, if you installed any of these before they were removed…”
Is it an option to install it AFTER they were removed? Probably better “However, if you installed any of there when were available…”
Interesting sentence: “However, if you installed any of there when were available…”
Is it an option to install it when they’re NOT available?
Sorry, could not resist 🙂
About the wording, I don’t really see an issue but you could simply omit that part:
“However, if you installed any of these, your system could still be at risk”